*** gcb has joined #openstack-tc | 03:36 | |
openstackgerrit | Alexander Chadin proposed openstack/governance master: Add watcher-tempest-plugin to watcher project https://review.openstack.org/489557 | 07:45 |
openstackgerrit | Merged openstack/governance master: Update py35 goal status for nova https://review.openstack.org/487684 | 08:50 |
openstackgerrit | Merged openstack/governance master: Add public cloud WG. https://review.openstack.org/489555 | 08:50 |
*** sdague has joined #openstack-tc | 09:42 | |
*** dtantsur|afk is now known as dtantsur | 09:55 | |
*** openstackgerrit has quit IRC | 10:18 | |
*** gcb has quit IRC | 12:56 | |
*** marst has joined #openstack-tc | 13:58 | |
*** hongbin has joined #openstack-tc | 14:00 | |
*** emagana has joined #openstack-tc | 15:08 | |
*** dtantsur is now known as dtantsur|afk | 15:46 | |
*** marst has quit IRC | 16:16 | |
*** marst_ has joined #openstack-tc | 16:16 | |
*** openstack has joined #openstack-tc | 17:29 | |
*** emagana has quit IRC | 18:03 | |
*** emagana has joined #openstack-tc | 18:04 | |
lbragstad | curious if anyone from the TC would be interested in hearing about an interesting interop case we hit in keystone | 18:09 |
lbragstad | looking for advice on approaching a bug fix and if it requires an API version bump | 18:10 |
*** morgan has joined #openstack-tc | 18:10 | |
* morgan looks for lbragstad | 18:10 | |
lbragstad | morgan: i just asked about 30 seconds before you joined :) | 18:10 |
lbragstad | we have a bug in keystone that we'd like to fix https://bugs.launchpad.net/keystone/+bug/1705081 | 18:12 |
openstack | Launchpad bug 1705081 in OpenStack Identity (keystone) "DELETE project API is failing in forbidden(403) error message" [High,Triaged] - Assigned to prashkre (prashkre) | 18:12 |
lbragstad | the net of it is: | 18:12 |
lbragstad | a deployment uses sql for storing resources like project/domains and it uses ldap for all identity information (e.g. users and groups) | 18:13 |
lbragstad | since users have an attribute called `default_project_id`, keystone has a callback that is invoked when a project is deleted to go through the identity backend and unset all users who might have that project as their default project id | 18:13 |
lbragstad | that way users aren't misled about having authorization on a project that doesn't even exist | 18:13 |
lbragstad | this works fine and dandy for SQL as the resource and identity backends | 18:14 |
lbragstad | but when the identity backend is LDAP - a DELETE /v3/projects/{project_id} results in a 403 | 18:14 |
lbragstad | the 403 is a result of the callback trying to "unset" project ids in the identity backend - which for ldap is read-only and raises a 403 | 18:15 |
lbragstad | i guess the question is - can we fix this without a version bump (keystone hasn't implemented microversions yet) | 18:15 |
lbragstad | or is there another approach we can take to make it so DELETE /v3/projects/{project_id} doesn't result in a 403 in deployments set up this way | 18:16 |
morgan | the reason for the request to fix w/o a version bump is that it behaves differently depending on backend config. if we can't, we have a solution that is really ugly, what ^ lbragstad just said | 18:16 |
dhellmann | that sounds like a question we would refer to the api-wg | 18:16 |
dhellmann | yeah, it's a shame the deployer choice is causing API behavior differences | 18:17 |
morgan | keystone has done a relatively good job of avoiding that trap. | 18:17 |
morgan | but sometimes we have edge cases like this | 18:17 |
* dhellmann nods | 18:17 | |
lbragstad | unfortunately =/ | 18:17 |
morgan | that being said, this is a problem that cropped up within the last couple releases | 18:17 |
morgan | when we removed read/write ldap | 18:18 |
morgan | iirc | 18:18 |
lbragstad | correct - we took a much more opinionated stance at that point | 18:18 |
morgan | it always happened with r/o ldap, but very very few deployments used the r/o driver | 18:18 |
morgan | it required a lot of extra config work to do it. and it would have raised a 5XX error back then if ldap was read-only but not set as such | 18:18 |
morgan | so, basically this fix would be "fixing" an api break that snuck in - | 18:19 |
dhellmann | yeah, it makes sense to me. like I said, I would confer with the api-wg to see if they have guidance | 18:20 |
morgan | lbragstad: this sounds like a -ml topic | 18:21 |
morgan | lbragstad: to me. | 18:21 |
dhellmann | ++ | 18:21 |
lbragstad | dhellmann: morgan ack - thanks for the advice | 18:21 |
morgan | so we can get wg/tc input on the record (not that i don't trust dhellmann, just wider audience and not needing to chase people on irc) | 18:21 |
dhellmann | it's also good to have the precedent in a searchable form for the next person to run into something like this | 18:22 |
morgan | i get the feeling this is going to be a "fix it, make it consistently right" | 18:22 |
morgan | but, *eh* never no | 18:22 |
morgan | know* | 18:22 |
morgan | crud i can't type today | 18:22 |
*** openstack has joined #openstack-tc | 18:28 | |
lbragstad | morgan: dhellmann done http://lists.openstack.org/pipermail/openstack-dev/2017-August/120678.html | 18:38 |
*** emagana has quit IRC | 20:53 | |
*** emagana has joined #openstack-tc | 20:54 | |
*** emagana has quit IRC | 20:59 | |
*** sdague has quit IRC | 21:08 | |
*** emagana has joined #openstack-tc | 21:14 | |
*** emagana has quit IRC | 22:23 | |
*** emagana has joined #openstack-tc | 22:24 | |
*** marst_ has quit IRC | 22:24 | |
*** emagana has quit IRC | 22:29 | |
*** emagana has joined #openstack-tc | 22:43 | |
*** emagana has quit IRC | 22:43 | |
*** emagana has joined #openstack-tc | 22:44 | |
*** emagana has quit IRC | 22:47 | |
*** hongbin has quit IRC | 23:19 | |
*** lbragstad has quit IRC | 23:22 | |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!